I found this phish in the wild and it’s pretty concerning. The email originated on PayPal’s email servers and links to PayPal’s web servers. The malicious actor was able to send a “legitimate” invoice with a request to pay through PayPal’s servers. If you click the link to pay the invoice, you are taken to the legitimate PayPal login screen and I assume, since I will not enter my PayPal credentials there, you’ll be in your account and ready to pay the invoice through PayPal. If you choose to call the phone number, you’ll be connected to a call center in India where they’ll likely step you through the standard refund scam.
Here is the email:
Here are the headers showing it originated on PayPal’s servers:
Here is the page you are taken to if you click the link:
This is the page you are taken to if you click the button to pay the invoice:
Note the email address PayPal says originated the invoice at the bottom of the page.